#!/bin/bash
# =================================================================
# LimeReader 签名验证脚本
# 用途：验证应用的代码签名状态（无需 sudo）
# =================================================================

APP_PATH="/Applications/LimeReader.app"

echo ""
echo "=========================================="
echo " LimeReader 签名验证"
echo "=========================================="
echo ""

# 检查应用是否存在
if [ ! -d "$APP_PATH" ]; then
    echo "[ERROR] ❌ 未找到应用程序: $APP_PATH"
    exit 1
fi

echo "[INFO] 找到应用: $APP_PATH"
echo ""

# 1. 检查签名详细信息
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "[1] 应用签名详细信息:"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
codesign -dv "$APP_PATH" 2>&1 | grep -v "^$" || echo "  ⚠️  无签名信息"
echo ""

# 2. 验证签名
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "[2] 签名验证:"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
if codesign -v "$APP_PATH" 2>&1; then
    echo "  ✅ 签名有效"
else
    echo "  ❌ 签名无效或缺失"
fi
echo ""

# 3. 详细验证
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "[3] 详细验证 (-vvv):"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
codesign -vvv "$APP_PATH" 2>&1 | head -20
echo ""

# 4. 检查主执行文件
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "[4] 主执行文件签名:"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
MAIN_EXEC="$APP_PATH/Contents/MacOS/LimeReader"
if [ -f "$MAIN_EXEC" ]; then
    if codesign -v "$MAIN_EXEC" 2>&1; then
        echo "  ✅ 主执行文件签名有效"
    else
        echo "  ❌ 主执行文件签名无效"
    fi
    
    # 检查执行权限
    if [ -x "$MAIN_EXEC" ]; then
        echo "  ✅ 可执行权限正常"
    else
        echo "  ⚠️  缺少可执行权限"
    fi
else
    echo "  ❌ 找不到主执行文件"
fi
echo ""

# 5. 检查隔离属性
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "[5] 隔离属性检查:"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
QUARANTINE=$(xattr -l "$APP_PATH" 2>/dev/null | grep "com.apple.quarantine")
if [ -z "$QUARANTINE" ]; then
    echo "  ✅ 无隔离属性（正常）"
else
    echo "  ⚠️  存在隔离属性："
    echo "     $QUARANTINE"
    echo "     建议移除: sudo xattr -dr com.apple.quarantine $APP_PATH"
fi
echo ""

# 6. 检查关键框架
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "[6] 关键框架签名检查:"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
FRAMEWORKS_OK=0
FRAMEWORKS_FAIL=0

if [ -d "$APP_PATH/Contents/Frameworks" ]; then
    for fw in "$APP_PATH/Contents/Frameworks"/Qt*.framework; do
        if [ -d "$fw" ]; then
            FW_NAME=$(basename "$fw")
            if codesign -v "$fw" 2>&1 >/dev/null; then
                echo "  ✅ $FW_NAME"
                FRAMEWORKS_OK=$((FRAMEWORKS_OK + 1))
            else
                echo "  ❌ $FW_NAME"
                FRAMEWORKS_FAIL=$((FRAMEWORKS_FAIL + 1))
            fi
        fi
    done
    echo ""
    echo "  统计: $FRAMEWORKS_OK 个成功, $FRAMEWORKS_FAIL 个失败"
else
    echo "  ⚠️  未找到 Frameworks 目录"
fi
echo ""

# 7. 尝试运行测试
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "[7] 快速运行测试:"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "  尝试调用主执行文件（1秒超时）..."

# 使用 timeout 测试是否能启动
if timeout 1s "$MAIN_EXEC" --version 2>/dev/null >/dev/null; then
    echo "  ✅ 应用可以启动"
elif [ $? -eq 124 ]; then
    echo "  ✅ 应用可以启动（超时正常）"
else
    EXIT_CODE=$?
    echo "  ❌ 应用无法启动（退出码: $EXIT_CODE）"
    
    # 检查系统日志
    echo ""
    echo "  查看系统安全日志（最近 30 秒）:"
    log show --predicate 'subsystem == "com.apple.security" OR subsystem == "com.apple.syspolicy"' \
             --last 30s 2>/dev/null | grep -i "limereader\|denied\|blocked" | tail -5 || echo "    （无相关日志）"
fi
echo ""

# 总结
echo "=========================================="
echo " 总结"
echo "=========================================="
echo ""

# 综合判断
ALL_OK=true

if ! codesign -v "$APP_PATH" 2>&1 >/dev/null; then
    echo "❌ 应用签名无效或缺失"
    ALL_OK=false
fi

if [ -n "$QUARANTINE" ]; then
    echo "⚠️  存在隔离属性（可能导致首次运行问题）"
fi

if [ $FRAMEWORKS_FAIL -gt 0 ]; then
    echo "❌ 部分框架签名失败"
    ALL_OK=false
fi

if [ "$ALL_OK" = true ]; then
    echo "✅ 所有检查通过！应用应该可以正常运行"
    echo ""
    echo "运行命令:"
    echo "  open /Applications/LimeReader.app"
else
    echo "❌ 发现问题，建议运行修复脚本:"
    echo "  sudo bash fix_installed_app.sh"
fi
echo ""

